SAP Authorizations SAP S/4HANA® migration audit - SAP Stuff

SAP S/4HANA® migration audit
Use SU22 and SU24 transactions correctly
An SAP security check focuses in particular on the assignment of authorizations. Authorizations are what enable users to work with the SAP system in the first place, but under certain circumstances they can unintentionally add up to conflicts with the separation of functions or even to legally critical authorizations. For this reason, tools for technical analysis must be used regularly to establish the status quo of authorization assignment and thus the basis for optimization.

The passwords of the users are stored in the SAP system as hash values. The quality of the hash values, and thus their safety, depends on the hash algorithms used. The hash algorithms previously used in SAP systems are no longer considered safe; they can be cracked in a short time using simple technical means. You should therefore protect the passwords in your system in various ways. First, you should severely limit access to the tables where the hash values of the passwords are stored. This applies to the USR02 and USH02 tables and, in more recent releases, the USRPWDHISTORY table. The best way to do so is to assign a separate table permission group to these tables, as described in Tip 55, "Maintain table permission groups". In addition, you should also control access using the S_TABU_NAM authorization object.
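As an added example (not part of the original page or of any SAP tool), the following Python sketch reviews role authorization data for S_TABU_NAM values that reach the three hash tables named above. It assumes a CSV export with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH; the rows, role names and the simplified range comparison are constructed for illustration, and access granted through table permission groups is not covered.

```python
import csv
import io
from collections import defaultdict

# Tables the page names as holding password hashes.
HASH_TABLES = ("USR02", "USH02", "USRPWDHISTORY")

# Constructed sample (not real system data), assumed to be shaped like a role
# export: role, object, authorization instance, field, low value, high value.
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_BASIS_ADMIN,S_TABU_NAM,T1,ACTVT,03,
Z_BASIS_ADMIN,S_TABU_NAM,T1,TABLE,USR*,
Z_HR_DISPLAY,S_TABU_NAM,T2,ACTVT,03,
Z_HR_DISPLAY,S_TABU_NAM,T2,TABLE,PA0001,
Z_AUDITOR,S_TABU_NAM,T3,ACTVT,03,
Z_AUDITOR,S_TABU_NAM,T3,TABLE,USH02,
Z_SUPPORT,S_TABU_NAM,T4,ACTVT,02,
Z_SUPPORT,S_TABU_NAM,T4,ACTVT,03,
Z_SUPPORT,S_TABU_NAM,T4,TABLE,T000,USZ99
"""

def covers(low, high, value):
    """True if one authorization value (single, trailing-* pattern or range) covers value."""
    if high:
        return low <= value <= high  # simplification: plain string comparison
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def find_hash_table_access(export_text):
    """Return sorted (role, table, activities) where S_TABU_NAM reaches a hash table."""
    # Field values only combine within the same authorization instance (AUTH).
    auths = defaultdict(lambda: {"ACTVT": [], "TABLE": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] == "S_TABU_NAM" and row["FIELD"] in ("ACTVT", "TABLE"):
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].append((row["LOW"], row["HIGH"]))
    findings = set()
    for (role, _auth), fields in auths.items():
        acts = [a for a in ("02", "03")  # 02 = change, 03 = display
                if any(covers(lo, hi, a) for lo, hi in fields["ACTVT"])]
        if not acts:
            continue
        for table in HASH_TABLES:
            if any(covers(lo, hi, table) for lo, hi in fields["TABLE"]):
                findings.add((role, table, ",".join(acts)))
    return sorted(findings)
```

Calling `find_hash_table_access(SAMPLE)` shows that the pattern `USR*` and the range `T000` to `USZ99` expose hash tables even though neither names one explicitly, which is the case a manual review most easily misses.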
Development
Add missing modification flags in SU24 data: This function adds the modification flag to entries that have changed since the last execution of step 2a in transaction SU25, i.e., entries that differ from the SAP data in transaction SU22. The flag is thus set retrospectively, so that no customer data is accidentally overwritten by step 2a because of missing modification flags.

"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.

The website "www.sap-corner.de" offers a lot of useful information about SAP authorizations.

For example, the Excel file contains a table with the columns Technical role name, description German, description English.
